Slashdot Mirror


Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."

10 of 320 comments

  1. Re:So long/The way the future was by tripleevenfall · · Score: 5, Funny

    This might seriously impede the Year of Java on the Desktop

  2. Re:So long/The way the future was by Anonymous Coward · · Score: 5, Funny

    Sure, Java will be dead in 5 years.. just like COBOL.

  3. Re:Fact free claims by HaZardman27 · · Score: 2, Funny

    Microsoft told him that in a message that included a "Welcome to C#!" brochure.

    --
    Apparently wizard is not a legitimate career path, so I chose programmer instead.

  4. Re:Two years? by Anonymous Coward · · Score: 0, Funny

    Put away the hard-on for Larry Ellison and calm down.

  5. Re:So long/The way the future was by gabereiser · · Score: 3, Funny

    I think he meant Kobol, the originating planet of the thirteen tribes.... Took a lot longer than 5 years to die but then again, the Galactica found it in ruin and didn't stay for archeological studies...

  6. Re:WTF is the deal with Java and being so insecure by Anonymous Coward · · Score: 0, Funny

    Javascript has NOTHING to do with java.

    Actually, they're both rather mediocre programming languages in their own miserable ways. They have that in common.

  7. Re:Browser Plugins are Always Vulnerable by Wrath0fb0b · · Score: 3, Funny

    But there are also well-documented CSS vulnerabilities, XUL exploits and even one in a JPG parser.

    Should we disable those as well? Are you part of some guerrilla marketing campaign to bring back Lynx?

  8. Re:So long/The way the future was by BotnetZombie · · Score: 4, Funny

    Perhaps the time is right for a COBOL browser plugin?

  9. Re:Java used to be secure and sandboxed by Anonymous Coward · · Score: 5, Funny

    This is absolutely not true. This vulnerability was a zero-day exploit. Zero-day means, by definition, nobody knew about it except the guys who wrote the exploit. We learned about this exploit last Thursday and had a fix on Sunday. Folks were up working around the clock to get the fix out.

    We take security exploits incredibly seriously. Three times a year Oracle produces "critical patch updates" and we're working hard to clear out every bug from our backlog related to security, at the expense of new feature development. The suggestion that Oracle doesn't care about fixing these security problems is simply not true.

  10. Re:Browser Plugins are Always Vulnerable by Anonymous Coward · · Score: 4, Funny

    Personally I'd vote for bringing back gopher! And if that means we "lose" that blinged out "web-2.0" crap, it's not a day too soon.